End-of-Day report
Timeframe: Monday 27-03-2023 18:00 - Tuesday 28-03-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
News
New MacStealer macOS malware steals passwords from iCloud Keychain
A new info-stealing malware named MacStealer is targeting Mac users, stealing their credentials stored in the iCloud KeyChain and web browsers, cryptocurrency wallets, and potentially sensitive files.
https://www.bleepingcomputer.com/news/security/new-macstealer-macos-malware-steals-passwords-from-icloud-keychain/
Exchange Online to block emails from vulnerable on-prem servers
Microsoft is introducing a new Exchange Online security feature that will automatically start throttling and eventually block all emails sent from "persistently vulnerable Exchange servers" 90 days after the admins are pinged to secure them.
https://www.bleepingcomputer.com/news/security/exchange-online-to-block-emails-from-vulnerable-on-prem-servers/
Cybersecurity Challenges of Power Transformers
To the best of our knowledge, there is no study in the literature that systematically investigates the cybersecurity challenges against the newly emerged smart transformers. This paper addresses this shortcoming by exploring the vulnerabilities and the attack vectors of power transformers within electricity networks, the possible attack scenarios and the risks associated with these attacks.
https://arxiv.org/abs/2302.13161
OpenSSL 1.1.1 End of Life
We are now less than 6 months away from the End Of Life (EOL) date for the OpenSSL 1.1.1 series. Users of OpenSSL 1.1.1 should consider their options and plan any actions they might need to take. [..] OpenSSL 1.1.1 was released on 11th September 2018, and so it will be considered EOL on 11th September 2023. It will no longer be receiving publicly available security fixes after that date.
https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/
The curl quirk that exposed Burp Suite & Google Chrome
Although this feature took us (and Chrome) by surprise, it is fully documented, so we don't consider it to be a vulnerability in curl itself. It reminds me of server-side template injection, where a sandbox escape can be as easy as reading a manual page everyone else overlooked.
https://portswigger.net/research/the-curl-quirk-that-exposed-burp-suite-amp-google-chrome
Subscription trap on produkttester-werden.org
Produkttester-werden.org advertises the opportunity to test products regularly and free of charge and to receive up to 25 euros in expense compensation for doing so. Already at initial registration, however, personal data including the IBAN is requested, a direct debit authorisation is demanded, and a paid subscription is concluded via a hidden cost notice. We advise keeping your distance!
https://www.watchlist-internet.at/news/abo-falle-auf-produkttester-werdenorg/
Emotet Being Distributed via OneNote
AhnLab Security Emergency response Center (ASEC) has recently discovered Emotet being distributed via OneNote. A spear phishing email, as shown below, is attached with a OneNote file that prompts the reader to open the attachment, which contains a malicious script file (JS file). Upon running the OneNote file, it directs the user to click a button to connect to the cloud to open the document.
https://asec.ahnlab.com/en/50564/
Vulnerabilities
Apple patches everything, including a zero-day fix for iOS 15 users
Got an older iPhone that can't run iOS 16? You've got a zero-day to deal with! That super-cool Studio Display monitor needs patching, too.
https://nakedsecurity.sophos.com/2023/03/28/apple-patches-everything-including-a-zero-day-fix-for-ios-15-users/
FortiOS / FortiProxy - Unauthenticated access to static files containing logging information (CVE-2022-41329)
An exposure of sensitive information to an unauthorized actor vulnerability in the FortiOS and FortiProxy administrative interface may allow an unauthenticated attacker to obtain sensitive logging information on the device via crafted HTTP or HTTPS GET requests.
https://fortiguard.fortinet.com/psirt/FG-IR-22-364
OpenSSL Security Advisory: Invalid certificate policies in leaf certificates are silently ignored (CVE-2023-0465)
Severity: Low
Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. [..] Policy processing is disabled by default.
https://www.openssl.org/news/secadv/20230328.txt
[webapps] Moodle LMS 4.0 - Cross-Site Scripting (XSS)
A Cross-Site Scripting (XSS) vulnerability exists in Moodle, a free and open-source Learning Management System (LMS) written in PHP [..]
https://www.exploit-db.com/exploits/51115
Security updates for Tuesday
Security updates have been issued by Debian (dino-im and runc), Fedora (qemu), Red Hat (firefox), SUSE (chromium, containerd, docker, kernel, and systemd), and Ubuntu (graphicsmagick, linux-azure, linux-gcp, linux-oem-5.14, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, and node-url-parse).
https://lwn.net/Articles/927548/
Cisco SD-WAN vManage Software Cluster Mode Cross-Site Request Forgery Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vman-csrf-76RDbLEh
IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2021-41182, CVE-2022-31160, CVE-2021-41184, CVE-2021-41183
https://www.ibm.com/support/pages/node/6966410
IBM Engineering Workflow Management (EWM) vulnerability CVE-2021-43138
https://www.ibm.com/support/pages/node/6966400
IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2022-31129, CVE-2022-24785
https://www.ibm.com/support/pages/node/6966418
IBM Engineering Workflow Management (EWM) vulnerability CVE-2021-21252
https://www.ibm.com/support/pages/node/6966412
IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2020-28500, CVE-2021-23337, CVE-2020-8203
https://www.ibm.com/support/pages/node/6966416
IBM Engineering Workflow Management (EWM) vulnerability CVE-2022-24999
https://www.ibm.com/support/pages/node/6966420
IBM WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console (CVE-2023-26283)
https://www.ibm.com/support/pages/node/6964836
A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2022-3509, CVE-2022-3171)
https://www.ibm.com/support/pages/node/6966436
There is a vulnerability in jQuery UI used by IBM Maximo Asset Management (CVE-2022-31160)
https://www.ibm.com/support/pages/node/6966428
Maximo Application Suite is vulnerable to CVE-2022-40897 per setuptools dependency
https://www.ibm.com/support/pages/node/6966084
Maximo Application Suite uses jsonwebtoken package which is vulnerable to CVE-2022-23541, CVE-2022-23539, CVE-2022-23529 and CVE-2022-23540
https://www.ibm.com/support/pages/node/6966434
IBM Tivoli Netcool Impact is vulnerable to remote code execution from Apache Commons Net (CVE-2021-37533)
https://www.ibm.com/support/pages/node/6966438
IBM Tivoli Netcool Impact is vulnerable to denial of service attack due to Apache Commons FileUpload (CVE-2023-24998)
https://www.ibm.com/support/pages/node/6966440
There is a vulnerability in jQuery UI used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-31160)
https://www.ibm.com/support/pages/node/6966442
IBM Aspera Cargo 4.2.5 and IBM Aspera Connect 4.2.5 have addressed multiple buffer overflow vulnerabilities (CVE-2023-27286, CVE-2023-27284)
https://www.ibm.com/support/pages/node/6966588
A security vulnerability has been identified in IBM HTTP Server shipped with IBM Rational ClearCase [CVE-2023-26281]
https://www.ibm.com/support/pages/node/6966600
A security vulnerability has been identified in IBM HTTP Server shipped with IBM Rational ClearCase [CVE-2023-25690]
https://www.ibm.com/support/pages/node/6966602
A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2023-26283)
https://www.ibm.com/support/pages/node/6966604
IBM App Connect Enterprise Certified Container images may be vulnerable to denial of service due to libarchive [CVE-2017-14166]
https://www.ibm.com/support/pages/node/6966610
IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance may be vulnerable to denial of service due to [X-Force 247595]
https://www.ibm.com/support/pages/node/6966612
IBM Cloud Pak for Data System (CPDS) is vulnerable to arbitrary code execution due to Apache Log4j [CVE-2022-23307]
https://www.ibm.com/support/pages/node/6966636
There is a security vulnerability in snakeYAML used by IBM Maximo Data Loader (CVE-2022-41854)
https://www.ibm.com/support/pages/node/6966646
There is a security vulnerability in TinyMCE used by IBM Maximo for Civil Infrastructure in Maximo Application Suite (CVE-2022-23494)
https://www.ibm.com/support/pages/node/6966644
Vulnerability in jetty-http affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) [CVE-2022-2047]
https://www.ibm.com/support/pages/node/6966652